10 Critical Questions to Ask Your SAP Security Vendor

Selecting an SAP security partner is a high-stakes decision. Generic cybersecurity tools cannot effectively secure the business-critical applications that run the global economy. When evaluating a vendor, determine if they simply scan for known issues or if they offer a comprehensive, research-driven platform capable of stopping sophisticated threats.
Use these 10 questions to cut through the marketing noise and find a partner capable of protecting your SAP landscape.
1. How deep is your expertise in SAP specifically?
SAP security requires specialized knowledge that generalist vulnerability scanners lack. Generic tools often miss the proprietary protocols and complex logic layers unique to SAP applications.
Why It Matters
Generalist security tools often treat SAP like any other server. This approach misses critical application-layer risks. You need a solution built specifically for the ABAP and Java stacks that power your business.
The Onapsis Standard
We specialize deeply in SAP rather than offering broad, shallow support. Onapsis is the only dedicated SAP application cybersecurity and compliance solution that is also an SAP Endorsed App. This distinction validates our deep integration, quality, and effectiveness directly from SAP.
2. Do you have a dedicated research team discovering zero-day vulnerabilities?
A vendor without an internal research team is always reacting to yesterday’s news. Effective security requires proactive discovery of new threat vectors before attackers can exploit them.
Why It Matters
Relying solely on public vulnerability feeds exposes you during the critical window between discovery and patch availability.
The Onapsis Standard
Onapsis Research Labs is the only dedicated research team in the world outside of SAP tasked with discovering and disclosing SAP vulnerabilities. We have discovered over 1,000 vulnerabilities to date, including critical threats like RECON, P4CHAINS, and Elephant Beetle. Our research feeds directly into our platform to provide automatic protection.
3. What is your official relationship with SAP?
Close collaboration with SAP ensures your security tools are compatible, certified, and ahead of the curve. A vendor operating in isolation may break your customized environments or lag behind SAP’s release cycle.
Why It Matters
You need a partner that works with your ERP provider. This ensures faster access to patches and seamless integration with SAP ecosystems.
The Onapsis Standard
Onapsis works hand-in-hand with the SAP product security team on vulnerability discovery and patch validation. Our platform is SAP Endorsed, which ensures certified compatibility and trusted performance. Furthermore, our collaboration extends to external education, as seen on the SAP Security Researcher Acknowledgments page.
4. How quickly can your solution detect and mitigate new SAP threats?
Speed is critical because threat actors often exploit vulnerabilities within hours of their disclosure. If your vendor relies on monthly scan cycles, your systems remain exposed.
Why It Matters
SAP patching processes are complex and time-consuming. Security teams need “virtual patching” capabilities to protect systems while the Basis team tests and deploys official fixes.
The Onapsis Standard
Onapsis Defend delivers pre-patch protection and threat intelligence updates directly from Onapsis Research Labs. This allows enterprises to close the window of exposure immediately and protects systems before the official SAP patch is applied.
5. Does your platform cover on-premise, cloud, and hybrid landscapes (RISE, BTP, S/4HANA)?
Modern SAP landscapes are hybrid, so your security visibility must be unified across all environments. A tool that only secures on-premise ECC cannot protect you during a cloud transformation.
Why It Matters
Digital transformation initiatives like RISE with SAP introduce new shared responsibility models and cloud-specific risks that legacy tools miss.
The Onapsis Standard
Onapsis provides comprehensive coverage across the entire SAP landscape. From legacy on-premise ABAP and J2EE systems to modern cloud environments like SAP BTP, S/4HANA Cloud, and RISE with SAP, we provide a single control plane for your business-critical applications.
6. How do you align security with audit and compliance outcomes?
Security should reduce audit fatigue rather than add to it. The right solution automates manual evidence collection and connects technical risks to business impacts.
Why It Matters
Manual audits are expensive and prone to error. They provide only a point-in-time snapshot of compliance. Modern enterprises require automated compliance to remain audit-ready year-round.
The Onapsis Standard
Onapsis connects technical risk to business impact. We offer automated compliance reporting for SOX, GDPR, and NIST. This capability drastically reduces the manual burden on your team while ensuring you can prove compliance to auditors at any moment.
7. Can your solution detect active exploitation or lateral movement?
Static configuration checks are not enough; you must be able to detect an attack in progress. Many vendors effectively take a “photo” of your security posture but miss the “video” of an active break-in.
Why It Matters
Sophisticated threat actors can bypass static defenses. You need continuous monitoring that identifies unauthorized changes, misuse, and lateral movement in real time.
The Onapsis Standard
We uniquely combine application-layer monitoring with threat intelligence to detect active exploitation attempts. This capability is validated through our joint threat reports with major intelligence firms like Flashpoint and Mandiant.
8. How well does your solution integrate with our existing SOC (SIEM, SOAR)?
SAP security cannot exist in a silo; it must be part of your broader SOC ecosystem. Your analysts should be able to see SAP alerts alongside endpoint and network data.
Why It Matters
If SAP alerts do not reach your SIEM, your SOC is blind to attacks on your most critical assets.
The Onapsis Standard
Onapsis integrates seamlessly with industry-leading platforms like Microsoft Sentinel, Splunk, and ServiceNow. We enrich your enterprise SIEM with context-rich SAP threat data. This allows your SOC to investigate and automate remediation workflows without needing to be SAP experts.
9. How do you support secure SAP transformation and code migration?
Transformations are high-risk events that require securing custom code before it reaches production. Migrating insecure code to S/4HANA or the cloud simply migrates your risk.
Why It Matters
Custom code is a leading attack vector. Manual code reviews are too slow for modern DevOps pipelines.
The Onapsis Standard
Trusted by major systems integrators like Deloitte and Accenture, Onapsis Control scans over 900,000 lines of SAP code per minute. We help organizations identify and remediate code vulnerabilities early in the development lifecycle (DevSecOps) to ensure a secure go-live.
10. Does your platform run independently of the SAP application layer?
The architecture of your security tool dictates its resilience. You must determine if the vendor relies on an “embedded” tool running inside SAP or an “independent” platform running outside of it.
Why It Matters
Embedded tools create a critical Single Point of Failure (SPOF). If your SAP application goes down due to a crash or attack, your embedded security tool goes down with it. You are left blind exactly when you need visibility the most. Furthermore, an attacker with privileged access (like SAP_ALL) can easily disable internal monitoring tools to cover their tracks.
Embedded tools also drain system resources. They force your security scans to compete for CPU and memory against your core finance and supply chain processes.
The Onapsis Standard
Onapsis utilizes an independent, external architecture. Our platform runs on its own dedicated resources. This ensures zero performance load on your production environment. Most importantly, it serves as an objective “source of truth” that remains online and tamper-proof even if the SAP system itself is compromised or offline.
Next Steps
Are you ready to ask the hard questions? Reach out to an Onapsis expert to see how we answer them and how we can help you secure your business-critical applications.
